End to end encryption doesn't seem to encrypt files

The quick and dirty:
When I set up end to end encryption, and enable it on the laptop that has the files to back up, I am still able to access the files and see content from a terminal on the server where nextcloud server is running.
Does end to end encryption mean the data is only encrypted during transmission, and once received it is decrypted and stored without encryption? Or should the files also be encrypted on the server?

Additional information that may help provide a correct and useful answer:
So, before I start posting logs and stuff, I want to be sure this isn’t me misunderstanding what should be happening.
So I have created a test account, and used a test laptop running windows to download the desktop app to. I created some test files, and connected to the server. It uploaded all those test files just fine. The client told me that this server supports end to end encryption. So I enabled it, copied down the passphrase, and created some new files, expecting that if the old files didn’t get encrypted, at least the new ones would. These new files got uploaded, and were not encrypted on the server. I could still read the text files with nano.

What I want the end result to be:
So, basically what i am hoping for is for the files to be stored on the server unencrypted, that is NOT encrypted UNLESS the desktop app enables encryption, at which point the files on the server WILL be encrypted, giving each user the option if they want to have there files encrypted so they are secure, or have then unencrypted, so if they loose there password I am able to recover them.

So I enabled it, copied down the passphrase, and created some new files, expecting that if the old files didn’t get encrypted, at least the new ones would. These new files got uploaded, and were not encrypted on the server. I could still read the text files with nano.

E2EE, once enabled, only encrypts folders you (well, the end-user; not “you” the admin) specifically designate. It leaves all other files/folders alone (unencrypted). I think you’ll find this[1] recently updated documentation for it helpful. Hope that helps!

[1] end_to_end_encryption/README.md at master · nextcloud/end_to_end_encryption · GitHub

Okay, it seems as though I have encountered either a bug, or an user error… Well, 2 perhaps, but lets do one at a time. Let me share this screenshot with you.

So, the big green checkmark should indicate everything is synced correctly… Shouldn’t it? But then I get an error saying it isn’t synced correctly.

Well after waiting a bit, it managed to let me set the encryption. But then the server seems to be confused. Here is a screenshot:

Uh… DUH? Thats because I just created the file… I need you the server to create it. Thats why it doesn’t exist.

The server has this to say:
{“reqId”:“QlYha2gc8HyNGPbheiOx”,“level”:3,“time”:“2024-02-14T20:40:27+00:00”,“remoteAddr”:“”,“user”:“test1”,“app”:“no app in context”,“method”:“POST”,“url”:“/remote.php/dav/bulk”,“message”:“Unexpected EOF while reading stream.”,“userAgent”:“Mozilla/5.0 (Windows) mirall/3.12.0stable-Win64 (build 20240213) (Nextcloud, windows-10.0.22621 ClientArchitecture: x86_64 OsArchitecture: x86_64)”,“version”:“”,“data”:,“id”:“65cd2c31ebe71”}

Can you update to a supported version of Nextcloud Server? I’d suggest v27.1.5 as the closest to / most reliable of what you’re currently using. (v27.1.6 would be fine too probably, at least for E2EE purposes).

You’re running a wildly unpatched release lacking any bug (and security) fixes.

Okay, just to make things easier, I destroyed and recreated the docker containers, this time with the :stable flag (Latest was giving me that version I was using)
Nextcloud Hub 6 (27.1.6)

Okay. I am getting the same error on the client. On the server I am receiving no errors at the time of sync, but do have some errors from before that that seem related. This is a big one:

p.s. Perhaps there is a better stack I can use to create/run this container pair? I am not against a different VIDEO tutorial then the one I used. Bot anything that requires more then just a basic stack I can modify will require video due to my disabilities. I use and must use docker and portainer.

[no app in context] Error: OCP\Lock\LockedException: “/files_external” is locked at <>

  1. /var/www/html/lib/private/Files/View.php line 1150
    OC\Files\View->changeLock(“/files_external”, 2)
  2. /var/www/html/lib/private/Files/View.php line 244
    OC\Files\View->basicOperation(“mkdir”, “/files_external”, [“create”,“write”])
  3. /var/www/html/lib/private/Security/CertificateManager.php line 132
  4. /var/www/html/lib/private/Security/CertificateManager.php line 247
    OC\Security\CertificateManager->createCertificateBundle(“*** sensitive parameters replaced ***”)
  5. /var/www/html/lib/private/Http/Client/Client.php line 133
  6. /var/www/html/lib/private/Http/Client/Client.php line 80
  7. /var/www/html/lib/private/Http/Client/Client.php line 230
  8. /var/www/html/lib/private/App/AppStore/Fetcher/Fetcher.php line 123
    OC\Http\Client\Client->get(“https://apps.ne … n”, [60])
  9. /var/www/html/lib/private/App/AppStore/Fetcher/AppFetcher.php line 86
    OC\App\AppStore\Fetcher\Fetcher->fetch(“”, “”)
  10. /var/www/html/lib/private/App/AppStore/Fetcher/Fetcher.php line 193
    OC\App\AppStore\Fetcher\AppFetcher->fetch(“”, “”, false)
  11. /var/www/html/lib/private/App/AppStore/Fetcher/AppFetcher.php line 187
  12. /var/www/html/lib/private/Installer.php line 422
  13. /var/www/html/apps/updatenotification/lib/Notification/BackgroundJob.php line 252
  14. /var/www/html/apps/updatenotification/lib/Notification/BackgroundJob.php line 150
  15. /var/www/html/apps/updatenotification/lib/Notification/BackgroundJob.php line 76
  16. /var/www/html/lib/public/BackgroundJob/Job.php line 81
  17. /var/www/html/lib/public/BackgroundJob/TimedJob.php line 103
  18. /var/www/html/lib/public/BackgroundJob/TimedJob.php line 93
  19. /var/www/html/cron.php line 177
    OCP\BackgroundJob\TimedJob->execute([“OC\BackgroundJob\JobList”], [“OC\Log”])

Caused by:

InvalidArgumentException: $absolutePath must be relative to “files” at <>

  1. /var/www/html/lib/private/Files/View.php line 1985
  2. /var/www/html/lib/private/Files/View.php line 1150
    OC\Files\View->changeLock(“/files_external”, 2)
  3. /var/www/html/lib/private/Files/View.php line 244
    OC\Files\View->basicOperation(“mkdir”, “/files_external”, [“create”,“write”])
  4. /var/www/html/lib/private/Security/CertificateManager.php line 132
  5. /var/www/html/lib/private/Security/CertificateManager.php line 247
    OC\Security\CertificateManager->createCertificateBundle(“*** sensitive parameters replaced ***”)
  6. /var/www/html/lib/private/Http/Client/Client.php line 133
  7. /var/www/html/lib/private/Http/Client/Client.php line 80
  8. /var/www/html/lib/private/Http/Client/Client.php line 230
  9. /var/www/html/lib/private/App/AppStore/Fetcher/Fetcher.php line 123
    OC\Http\Client\Client->get(“https://apps.ne … n”, [60])
  10. /var/www/html/lib/private/App/AppStore/Fetcher/AppFetcher.php line 86
    OC\App\AppStore\Fetcher\Fetcher->fetch(“”, “”)
  11. /var/www/html/lib/private/App/AppStore/Fetcher/Fetcher.php line 193
    OC\App\AppStore\Fetcher\AppFetcher->fetch(“”, “”, false)
  12. /var/www/html/lib/private/App/AppStore/Fetcher/AppFetcher.php line 187
  13. /var/www/html/lib/private/Installer.php line 422
  14. /var/www/html/apps/updatenotification/lib/Notification/BackgroundJob.php line 252
  15. /var/www/html/apps/updatenotification/lib/Notification/BackgroundJob.php line 150
  16. /var/www/html/apps/updatenotification/lib/Notification/BackgroundJob.php line 76
  17. /var/www/html/lib/public/BackgroundJob/Job.php line 81
  18. /var/www/html/lib/public/BackgroundJob/TimedJob.php line 103
  19. /var/www/html/lib/public/BackgroundJob/TimedJob.php line 93
  20. /var/www/html/cron.php line 177
    OCP\BackgroundJob\TimedJob->execute([“OC\BackgroundJob\JobList”], [“OC\Log”])

GET /cron.php
from at 2024-02-15T16:51:25+00:00

Okay, just to make things easier, I destroyed and recreated the docker containers, this time with the :stable flag (Latest was giving me that version I was using)

This will happen if you’ve previously pulled that image (e.g. 6+ months ago). Docker just uses the image from your local cache until you tell it to pull an image again to get a newer one.

I can’t say how to check in Portainer offhand, but the native Docker command will show you the age of that image:tag combo:

docker image ls nextcloud:latest

InvalidArgumentException: $absolutePath must be relative to “files” at <>

Looks like something unexpected with an External Storage mount. Are all your External Storage mounts working?

Yes, the filesystem is fine. I have SSHed into the client and am able to view/work in those directories (That’s why I knew the files before were not being encrypted on the server, and I tested again.)
Okay, so I decided to set up again from scratch, because why not? Gave it a new folder to work with, set it with permission 777, and then right after setup I got this error. I will try ignoring it, and doing things one step at a time to see if other errors pop up, or other things occur.

[index] Error: RuntimeException: Could not get appdata folder for preview at <>

  1. /var/www/html/lib/private/Files/AppData/AppData.php line 147
  2. /var/www/html/lib/private/Preview/Storage/Root.php line 74
  3. /var/www/html/lib/private/Preview/Generator.php line 613
  4. /var/www/html/lib/private/Preview/Generator.php line 139
  5. /var/www/html/lib/private/Preview/Generator.php line 116
    OC\Preview\Generator->generatePreviews([“OC\Files\Node\File”], [[250,250,true,“fill”]], “text/markdown”)
  6. /var/www/html/lib/private/PreviewManager.php line 192
    OC\Preview\Generator->getPreview([“OC\Files\Node\File”], 250, 250, true, “fill”, null)
  7. /var/www/html/core/Controller/PreviewController.php line 144
    OC\PreviewManager->getPreview([“OC\Files\Node\File”], 250, 250, true, “fill”)
  8. /var/www/html/core/Controller/PreviewController.php line 113
    OC\Core\Controller\PreviewController->fetchPreview([“OC\Files\Node\File”], 250, 250, false, true, “fill”)
  9. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 230
    OC\Core\Controller\PreviewController->getPreviewByFileId(53, 250, 250, false, true, “fill”)
  10. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 137
    OC\AppFramework\Http\Dispatcher->executeController(["OC\Core\Cont … "], “getPreviewByFileId”)
  11. /var/www/html/lib/private/AppFramework/App.php line 183
    OC\AppFramework\Http\Dispatcher->dispatch(["OC\Core\Cont … "], “getPreviewByFileId”)
  12. /var/www/html/lib/private/Route/Router.php line 315
    OC\AppFramework\App::main(“OC\Core\Controller\PreviewController”, “getPreviewByFileId”, ["OC\AppFramewo … "], [“core.Preview.getPreviewByFileId”])
  13. /var/www/html/lib/base.php line 1068
  14. /var/www/html/index.php line 38

GET /core/preview?fileId=53&x=250&y=250
from by admin at 2024-02-15T18:12:07+00:00

So, after ignoring it, I got another message, a warning this time about not being able to connect to the app store. And again, everything syncs EXCEPT the encrypted folder. Nothing in the logs to help, and vague message on the client.
Since everything else syncs fine, unless there is something I am not thinking about, I would guess that in itself proves the external filesystem is fine.
Forgive the question… Is there a dumbed down, simple version of this that “Just works?” I am not trying to be rude, I am just trying to find a simple solution. I don’t need about 90% of what comes with this. I need backup, that is automated, and either is, is not encrypted at the client descension. To be honest, getting this working may be for nothing, as I need to be able to add a folder encrypted. The client seems to refuse to encrypt a folder unless it is empty, I need to be able to add it and have it encrypted off the bat. So I guess I should ask if that si even possible.
Sorry if I am getting a bit ranty, I am just getting very frustrated. I have been putting this off for over a year because of the mass frustration of getting this working how I need.

Can you share your actual Compose file as well as the output of occ config:list system from inside your container?

The way this thread started it did not appear it was going to go this deep so I did not request it, but typically we’d ask for all that before even responding.

These errors do not simply come up in a clean install so something else is going on here.

What installation guide did you follow?

An app store connection error indicates your app container either lacks outbound connectivity DNS resolution.

And you’ve talked about recreating things several times, but I’m unclear whether you’re also destroying volumes in between as well as your database container state, etc.